Message-ID: <4CE2EECE.8060000@fifthhorseman.net>
Date: Tue, 16 Nov 2010 15:51:26 -0500
From: Daniel Kahn Gillmor
To: notmuch
Subject: Re: a proposed change to JSON output to report verification of PGP/MIME signatures.
References: <4CDE4486.2050101@fifthhorseman.net> <87hbfhdpa6.fsf@yoom.home.cworth.org> <87wrod9gh8.fsf@servo.finestructure.net> <4CE2E819.1070808@fifthhorseman.net> <87sjz19ext.fsf@servo.finestructure.net>
In-Reply-To: <87sjz19ext.fsf@servo.finestructure.net>

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

On 11/16/2010 03:44 PM, Jameson Rollins wrote:
> Aren't clients going to have to interpret/display the output regardless
> of it's been verified or not? It seems to me that understanding how to
> display the verified output is really not that much more difficult than
> understanding how to display the unverified output.

With json (and similar formats), it's easy to write a parser that says
"i know what to do with data member $foo -- give me that one". This
lets you remain in blissful ignorance of data members $bar and $baz. and
if your backend suddenly starts throwing $qux at you as well, you can
just ignore it too, until you find you want to make use of it.

I imagine that someone writing a frontend would want to start with
things like message display, and not bother with fancier bits (such as
signature verification) until later.

frontends that know that their backend is somehow resource constrained
might also want to indicate to the user that a message claims to be
signed but not verify the signature unless the user asks for it.
(i wish my current MUA had that feature, actually -- some messages i get
are signed but i don't personally need to verify them on every reload
(or even ever), depending on their content, but my MUA always makes me
wait for the verification process to happen.)

To be clear -- i think that signature verification should be the default
situation for MUAs that are capable of doing it, but i don't think that
translates into --verify being on by default in /usr/bin/notmuch.

--dkg
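
The parsing pattern described in the message above, as an added example that is not part of the original message and is not notmuch code: a frontend reads only the members it knows, ignores the rest, and shows "signed, not verified" when the backend reports a signature claim without a verification result. All member names (`headers`, `body`, `claims_signature`, `sig_status`, `qux`) and the sample messages are constructed assumptions, not notmuch's actual JSON schema.

```python
import json

# Constructed backend output. Every member name here is hypothetical.
PLAIN = '{"headers": {"From": "alice@example.org", "Subject": "hi"}, "body": "hello"}'
CLAIMED = ('{"headers": {"From": "bob@example.org", "Subject": "signed"}, '
           '"body": "x", "claims_signature": true}')
VERIFIED = ('{"headers": {"From": "bob@example.org", "Subject": "signed"}, "body": "x", '
            '"claims_signature": true, "sig_status": [{"status": "good"}], "qux": {"new": 1}}')
BAD = VERIFIED.replace('"good"', '"bad"')
ODD = VERIFIED.replace('"good"', '"good-ish"')  # a status value the frontend does not know


def signature_label(msg):
    """Map the optional signature members to a label, failing closed."""
    results = msg.get("sig_status")
    if results is None:
        # Backend did not verify: report the claim, never a verdict.
        return "signed, not verified" if msg.get("claims_signature") is True else "unsigned"
    if not isinstance(results, list) or not results:
        return "verification failed"
    # Only the exact value "good" on every result counts as success.
    if all(isinstance(r, dict) and r.get("status") == "good" for r in results):
        return "good signature"
    return "verification failed"


def render(raw, show_signature=False):
    """Build a display dict from one message, reading only known members."""
    msg = json.loads(raw)
    headers = msg.get("headers", {})
    view = {
        "from": headers.get("From", ""),
        "subject": headers.get("Subject", ""),
        "body": msg.get("body", ""),
    }
    if show_signature:
        view["signature"] = signature_label(msg)
    return view  # members such as "qux" are never touched


if __name__ == "__main__":
    for raw in (PLAIN, CLAIMED, VERIFIED, BAD, ODD):
        print(render(raw, show_signature=True))
```
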